



This guide explains how to configure Cloudflare Access as a single sign-on provider for Google Workspace accounts.

1. Create an application with Zero Trust

Log in to Zero Trust and go to [Access] > [Applications].

Select a SaaS application.

Enter the following information:

Application: Google

Entity ID: google.com

Assertion Consumer Service URL: https://www.google.com/a/ /acs, where is your Google Workspace domain.

Name ID Format: Email

Putting Google Workspace behind Access prevents users from logging in using Google or Google Workspace as their identity provider.

On the next page, create an access policy for your application. For example, you can allow users with email addresses ending in @your_domain.com.

The next page shows the SSO endpoint, access entity ID or issuer, and public key. These values are used to configure Google Workspace.

2. Create a certificate from your public key

Copy the public key and paste it into a text editor.

Enclose the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. For example:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Set the file extension to .crt and save.

3. Create an SSO provider in Google Workspace

Log in to your Google Admin console and go to [Security] > [Authentication] > [SSO with third party IdP].

Select the third-party SSO profile for your organization.

Enable [Set up SSO with third-party identity provider].

Enter the following information:

Sign-in page URL: Copy and paste the SSO endpoint from Zero Trust.

Sign-out page URL: https:// .cloudflareaccess.com/cdn-cgi/access/logout, where is the Zero Trust team name.

Certificate Validation: Upload the certificate file containing the public key.

(Optional) Enable [Use a domain-specific issuer]. If you choose this option, Google will send an issuer specific to your Google Workspace domain (google.com/a/ ) instead of the standard google.com.

4. Test the integration

To test the integration, open an incognito browser window and go to https://mail.google.com/. The Access login screen is displayed.

Troubleshooting

Error: G Suite – This account cannot be accessed because your login credentials could not be verified.

If you get this error, your public and private keys may not match. Make sure the certificate file contains the correct public key.
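An added example, not part of the original guide or of Cloudflare's or Google's tooling: one way to build the .crt file from step 2 and to run the troubleshooting check that the file holds the same bytes as the value copied from Zero Trust. It assumes that value is the base64 body of a DER certificate; the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Marker lines, including ones an editor rewrote with typographic dashes.
MARKER = re.compile(r"^\W*(BEGIN|END) CERTIFICATE\W*$")

# Constructed stand-in for the value copied from Zero Trust: a DER SEQUENCE
# header plus filler bytes. It is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PASTED = base64.b64encode(SAMPLE_DER).decode("ascii")


def is_single_der_sequence(der):
    """Check only the outer framing: SEQUENCE tag and a length that fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long-form length: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def der_from_pasted(text):
    """Decode a pasted value or .crt file body, with or without marker lines."""
    lines = (line.strip() for line in text.splitlines())
    body = "".join(l for l in lines if l and not MARKER.match(l))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if not is_single_der_sequence(der):
        raise ValueError("truncated or extra data: not one DER SEQUENCE")
    return der


def to_pem(der):
    """Write the markers with ASCII hyphens and wrap the body at 64 characters."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"


def same_certificate(crt_text, pasted_value):
    """True when the .crt file holds exactly the bytes copied from Zero Trust."""
    return der_from_pasted(crt_text) == der_from_pasted(pasted_value)
```

The framing check catches a truncated or doubled paste but does not parse the certificate; it only confirms that the file and the copied value decode to the same single DER structure.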

